Apache Tomcat Vulnerabilities: A Critical Look
The Apache Software Foundation has once again drawn attention to Apache Tomcat, the widely used open-source Java servlet container that underpins countless web applications. On October 27, 2025, Apache disclosed two vulnerabilities, CVE-2025-55752 (rated Important) and CVE-2025-55754 (rated Low), affecting every supported Tomcat branch as well as end-of-life releases.
Understanding the Vulnerabilities
CVE-2025-55752: Directory Traversal Flaw
The more severe of the two, CVE-2025-55752, is a directory traversal bug introduced as a regression by the fix for an earlier issue (bug 60013). It lives in Tomcat's URL rewriting (the RewriteValve): because the rewritten URL was normalized before it was decoded, an attacker could manipulate the query string so that the rewritten URL reached the /WEB-INF/ and /META-INF/ directories, which Tomcat is supposed to refuse to serve.
- Risk Assessment: On its own the bug exposes files under /WEB-INF/ and /META-INF/ (deployment descriptors, class files and the like). If PUT requests are also enabled, which for the DefaultServlet typically means its readonly init-param set to false, an attacker can upload a file into the web application and turn the traversal into remote code execution (RCE). Reported by Chumy Tsai of CyCraft Technology, the issue is rated Important, and unpatched production instances with that configuration are the ones most at risk.
- Affected Versions: Apache Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.M11 to 9.0.108, along with end-of-life (EOL) releases that will not receive a fix.
CVE-2025-55754: Console Manipulation via Log Escapes
The second vulnerability, CVE-2025-55754, stems from Tomcat writing ANSI escape sequences into log messages without escaping them. When Tomcat runs from a console on Windows that interprets ANSI sequences, a crafted URL that ends up in a log message can inject sequences that manipulate the console display, write to the clipboard, or, through deceptive output, trick an administrator into executing a command the attacker chose.
- Risk Assessment: Rated Low, because exploitation depends on how the console rendering the logs behaves and, for command execution, on an administrator being misled, rather than on a flaw in Tomcat's request handling; its real weight comes from chaining it with social engineering or with other issues. It affects 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, 9.0.40 to 9.0.108, and the EOL releases 8.5.60 to 8.5.100.
- Discovery: Reported by Elysee Franchuk of MOBIA Technology Innovations. The root cause is that log output did not escape control characters, and the sequences can be injected by an unauthenticated client.
Technical Breakdowns
Directory Traversal Details
The crux of CVE-2025-55752 is the order of operations applied to a rewritten URL. Because of the regression, the rewritten URL was normalized (dot-segments such as .. resolved and checked) before it was percent-decoded. A traversal supplied in encoded form (percent-encoded dot-segments, for example) therefore looks harmless to normalization and only afterwards decodes into a real .. that the rest of the request pipeline acts on. Since the protection for /WEB-INF/ and /META-INF/ relied on the normalized form, a crafted URL could slip past it and reach files that should never be served.
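To make the order-of-operations problem concrete, here is a small Python model of a rewrite step. It is an illustration added for this article, not Tomcat's code: the real RewriteValve carries the query string into the rewritten URL in a way this toy does not reproduce, and the names resolve_vulnerable, resolve_fixed, serve and the protected-prefix list are assumptions of the model. What it does show is exactly the consequence described above: normalize-then-decode lets %2e%2e through, decode-then-normalize does not.

```python
from urllib.parse import unquote
import posixpath

# Directories a servlet container must never serve directly (Tomcat compares case-insensitively).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path):
    """Collapse '.' and '..' segments; return None if '..' would climb above the root."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # attempted escape from the context root
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(path):
    return any(path.upper().startswith(prefix) for prefix in PROTECTED_PREFIXES)


def resolve_vulnerable(rewritten):
    """Regressed ordering: normalize the rewritten URL first, then percent-decode it.
    Encoded dot-segments (%2e%2e) are invisible to normalize() and only decode afterwards."""
    normalized = normalize(rewritten)
    return None if normalized is None else unquote(normalized)


def resolve_fixed(rewritten):
    """Fixed ordering: percent-decode first so normalize() sees every dot-segment."""
    return normalize(unquote(rewritten))


def serve(rewritten, resolver):
    """Model of the rest of the pipeline (an assumption of this example): apply the
    protected-directory check to the resolver's output, then hand the path to a file
    lookup that resolves any '..' still present. Returns the path read, or 'DENIED'."""
    path = resolver(rewritten)
    if path is None or is_protected(path):
        return "DENIED"
    return posixpath.normpath(path)


if __name__ == "__main__":
    for url in ("/app/index.html", "/app/../WEB-INF/web.xml", "/app/%2e%2e/WEB-INF/web.xml"):
        print(f"{url:32} vulnerable -> {serve(url, resolve_vulnerable):18} fixed -> {serve(url, resolve_fixed)}")
```

A literal /app/../WEB-INF/web.xml is denied by both orderings, because normalization sees the .. in either case; the encoded form is the one that separates them. The general lesson is not specific to Tomcat: any path check must run on the fully decoded, canonical form, and decoding must never be applied again after the check.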
Console Manipulation Mechanics
For CVE-2025-55754, the failure to neutralize ANSI sequences in log messages means that a URL carrying the right bytes can, once logged, clear or repaint the console, recolour or overwrite lines, move the cursor, or drive any other feature the console exposes through escape sequences. No attack vector has been established for operating systems other than Windows, but the social engineering risk remains wherever the console interprets the sequences: an administrator can be shown a fabricated, benign-looking message and misled into typing or pasting a command the attacker prepared.
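The two practical responses are to escape control characters before anything attacker-influenced reaches a log, and to scan existing logs for sequences that already got in. The Python below is an added example for this article, not code from Tomcat or the fix; the regular expression, the helper names and the sample access-log line (which is constructed, with a percent-decoded request path containing a clear-screen sequence, an OSC 52 clipboard write and a colour change) are all assumptions of the example.

```python
import re

# ESC-introduced sequences a terminal acts on: CSI (ESC [ ... final byte),
# OSC (ESC ] ... BEL or ESC \), and the remaining single-byte Fe escapes (ESC @ .. ESC _).
ANSI_SEQUENCE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: cursor movement, clear screen, colours
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: window title, and OSC 52 clipboard writes
    r"|\x1b[@-_]"                          # other Fe escapes
)


def escape_control_chars(text):
    """Render every C0 control character and DEL as a visible \\uXXXX escape, so a
    logged, attacker-influenced string cannot drive the terminal showing the log."""
    out = []
    for ch in text:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append("\\u%04x" % code)
        else:
            out.append(ch)
    return "".join(out)


def find_ansi_sequences(text):
    """Return the raw escape sequences present in a string (for triage of existing logs)."""
    return ANSI_SEQUENCE.findall(text)


def flag_suspicious_lines(lines):
    """Indices of log lines that carry at least one ANSI escape sequence."""
    return [i for i, line in enumerate(lines) if ANSI_SEQUENCE.search(line)]


# Constructed sample, not a real log: the decoded request path clears the screen,
# writes base64 'pwned' to the clipboard via OSC 52, and prints a reassuring red line.
SAMPLE_LOG_LINE = (
    '10.0.0.5 - - [27/Oct/2025:10:00:00 +0000] "GET /app/'
    "\x1b[2J\x1b]52;c;cHduZWQ=\x07\x1b[1;31mALL CLEAN\x1b[0m"
    ' HTTP/1.1" 404 -'
)

if __name__ == "__main__":
    print("sequences found:", [s.encode() for s in find_ansi_sequences(SAMPLE_LOG_LINE)])
    print("safe to print  :", escape_control_chars(SAMPLE_LOG_LINE))
```

When reviewing logs from a possibly affected instance, view them with a tool that does not interpret escapes (less shows ESC as ^[ unless run with -r or -R; cat -v makes every control byte visible) rather than with a plain cat in an ANSI-capable console, for the same reason the advisory gives.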
Mitigations: Taking Action
Apache has fixed both issues and urges users to upgrade to Tomcat 11.0.11, 10.1.45, or 9.0.109 or later. The fixes decode the rewritten URL before normalizing it and escape control characters in log messages; the EOL 8.5 branch receives no fix.
Organizations running Tomcat should audit their configurations, especially any deployment that combines the RewriteValve with PUT enabled on the DefaultServlet (readonly set to false). Given Tomcat's prevalence in Java applications, unpatched instances are attractive targets, as seen earlier in 2025 with CVE-2025-24813, which likewise turned a writable DefaultServlet into remote code execution.
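The audit above reduces to three questions per instance: is the build older than the fixed release for its branch, is the RewriteValve configured, and is the DefaultServlet writable. The Python below answers them from a version string plus the relevant XML; it is an added example for this article rather than an Apache tool, the fixed-version table is taken from the versions listed in this section, the requirement that the RewriteValve be present follows from the advisory describing the bug as traversal via rewrite, and the sample web.xml and context.xml fragments are constructed.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"

# First fixed patch level per supported branch (11.0.11, 10.1.45, 9.0.109).
FIXED_PATCH = {(11, 0): 11, (10, 1): 45, (9, 0): 109}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def is_patched(version):
    """True/False for a supported branch, None for a branch the table does not cover (e.g. EOL 8.5)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = (int(g) if g else None for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    if milestone is not None:  # x.y.0-Mn milestone builds all predate the fix
        return False
    return patch >= fixed


def _local(tag):
    """Strip an XML namespace prefix such as {https://jakarta.ee/xml/ns/jakartaee}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_writable(web_xml):
    """True if a DefaultServlet declaration sets readonly=false, i.e. PUT/DELETE are enabled."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return (_child_text(param, "param-value") or "").lower() == "false"
    return False  # readonly defaults to true when the init-param is absent


def rewrite_valve_present(context_xml):
    return any(_local(e.tag) == "Valve" and e.get("className") == REWRITE_VALVE
               for e in ET.fromstring(context_xml).iter())


def assess(version, web_xml, context_xml):
    findings = []
    patched = is_patched(version)
    if patched is False:
        findings.append(f"Tomcat {version} is vulnerable to CVE-2025-55752; upgrade")
    elif patched is None:
        findings.append(f"Tomcat {version} is on a branch with no fix (EOL); migrate")
    writable = default_servlet_writable(web_xml)
    rewrite = rewrite_valve_present(context_xml)
    if writable:
        findings.append("DefaultServlet readonly=false: PUT is enabled")
    if rewrite:
        findings.append("RewriteValve is configured")
    # RCE needs all three: an unfixed build, rewrite in use, and a writable DefaultServlet.
    return {"rce_exposed": patched is not True and writable and rewrite, "findings": findings}


# Constructed sample configuration fragments, not taken from any real deployment.
WEB_XML_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEB_XML_SAFE = WEB_XML_WRITABLE.replace("<param-value>false</param-value>", "<param-value>true</param-value>")
CONTEXT_XML_REWRITE = '<Context><Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/></Context>'
CONTEXT_XML_PLAIN = "<Context/>"

if __name__ == "__main__":
    for ver in ("9.0.108", "9.0.109"):
        print(ver, assess(ver, WEB_XML_WRITABLE, CONTEXT_XML_REWRITE))
```

Run default_servlet_writable against the global conf/web.xml as well as each application's WEB-INF/web.xml, since the DefaultServlet is declared in the former and can be overridden in the latter, and check the RewriteValve in server.xml host-level configuration as well as per-context context.xml files. A build that is patched but still has readonly=false deserves a finding of its own: the traversal is closed, but unauthenticated uploads remain a standing risk.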
Immediate action is warranted for any system that relies on Apache Tomcat: confirm the running version, apply the update, and leave the DefaultServlet read-only unless write access is genuinely required. Staying on top of disclosures like these protects the individual deployment and, given how much of the web runs on Tomcat, the wider ecosystem as well.
